[strongSwan] Challenges with MacOS Roadwarrior
Tom Rymes
trymes at rymes.com
Thu Jan 25 22:40:50 CET 2018
I have spent a fair amount of time lurking and searching for the answers
to this, and I am fairly certain that I have overlooked something basic,
such as putting the right data in the proper SAN. Unfortunately, the
learning curve here seems to be quite steep, and I am not keeping up.
Regardless, I cannot get a working RW connection to a MacOS client using
machine certs. Windows 10 works just fine.
I have tried various combinations of leftid and rightid, along with
adding different things to the SAN field of the responder's cert, but
nothing so far has done the trick.
I did notice lines similar to these when trying various different rightids:
"id '%any' not confirmed by certificate, defaulting to 'C=US, ST=ST,
O=MyOrg, OU=Engineering Dept., CN=RW'"
Can someone please (gently) point out the dumb mistake I have been making?
The error indicates that strongSwan (5.6.1) cannot find a valid peer
config, which is why I have been trying to fiddle with the left/rightid
and the cert SANs.
Many thanks,
Tom
PS: I am attempting to make this work using the built-in VPN client on
MacOS 10.11 - without importing a special configuration file, just using
System Preferences.
Error:
Jan 25 14:48:06 myhost charon: 09[NET] received packet: from x.x.x.x[500] to y.y.y.y[500] (604 bytes)
Jan 25 14:48:06 myhost charon: 09[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
Jan 25 14:48:06 myhost charon: 09[IKE] x.x.x.x is initiating an IKE_SA
Jan 25 14:48:06 myhost charon: 09[IKE] x.x.x.x is initiating an IKE_SA
Jan 25 14:48:06 myhost charon: 09[IKE] remote host is behind NAT
Jan 25 14:48:06 myhost charon: 09[IKE] sending cert request for "C=US, ST=ST, L=TownA, O=MyOrg, OU=Engineering Dept., CN=MyOrg CA, E=me at domain.dom"
Jan 25 14:48:06 myhost charon: 09[IKE] sending cert request for "C=US, ST=ST, L=TownB, O=MyOrg, OU=Engineering Dept., CN=MyOrg CA, E=me at domain.dom"
Jan 25 14:48:06 myhost charon: 09[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(MULT_AUTH) ]
Jan 25 14:48:06 myhost charon: 09[NET] sending packet: from y.y.y.y[500] to x.x.x.x[500] (493 bytes)
Jan 25 14:48:06 myhost charon: 11[NET] received packet: from x.x.x.x[4500] to y.y.y.y[4500] (512 bytes)
Jan 25 14:48:06 myhost charon: 11[ENC] unknown attribute type (25)
Jan 25 14:48:06 myhost charon: 11[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) N(MOBIKE_SUP) IDr CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6 DNS6 (25)) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]
Jan 25 14:48:06 myhost charon: 11[CFG] looking for peer configs matching y.y.y.y[@myhost.domain.dom]...x.x.x.x[me at domain.dom]
Jan 25 14:48:06 myhost charon: 11[CFG] no matching peer config found
Jan 25 14:48:06 myhost charon: 11[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Jan 25 14:48:06 myhost charon: 11[IKE] peer supports MOBIKE
Jan 25 14:48:06 myhost charon: 11[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Jan 25 14:48:06 myhost charon: 11[NET] sending packet: from y.y.y.y[4500] to x.x.x.x[4500] (80 bytes)
Config:
version 2

conn %default
    keyingtries=%forever

include /etc/ipsec.user.conf

conn RW2
    left=y.y.y.y
    leftsubnet=0.0.0.0/0
    leftsendcert=always
    leftallowany=yes
    rekey=no
    leftfirewall=yes
    lefthostaccess=yes
    right=%any
    leftcert=/var/ipfire/certs/hostcert.pem
    rightcert=/var/ipfire/certs/RW2cert.pem
    ike=aes256-sha2_256-modp1024,aes192-sha2_256-modp1024,aes128-sha2_256-modp1024
    esp=aes256-sha2_256-modp1024,aes192-sha2_256-modp1024,aes128-sha2_256-modp1024
    keyexchange=ikev2
    ikelifetime=3h
    keylife=1h
    dpdaction=clear
    dpddelay=30
    dpdtimeout=90
    authby=rsasig
    leftrsasigkey=%cert
    rightrsasigkey=%cert
    auto=add
    rightsourceip=10.100.2.200/21
    fragmentation=yes
StrongSwan's Cert:
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, ST=ST, L=TownB, O=MyOrg, OU=Engineering Dept., CN=MyOrg CA/emailAddress=me at domain.dom
        Validity
            Not Before: Jan 25 18:19:07 2018 GMT
            Not After : Dec 22 18:19:07 4755 GMT
        Subject: C=US, ST=ST, O=MyOrg, OU=Engineering Dept., CN=myhost.domain.dom
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    <snip>
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                3D:37:14:B8:B4:6A:AD:44:D2:C2:66:BE:10:6B:99:E1:95:29:CD:9D
            X509v3 Authority Key Identifier:
                keyid:53:89:48:5A:AD:A2:81:01:DC:C9:0B:F6:15:25:78:9C:96:AA:5E:73
                DirName:/C=US/ST=ST/L=TownB/O=MyOrg/OU=Engineering Dept./CN=MyOrg CA/emailAddress=me at domain.dom
                serial:CA:95:8A:1F:26:B5:A1:D7
            X509v3 Extended Key Usage:
                TLS Web Server Authentication
            X509v3 Subject Alternative Name:
                DNS:myhost.domain.dom, DNS:y.y.y.y, IP Address:y.y.y.y
    Signature Algorithm: sha256WithRSAEncryption
         <snip>
Mac Client's Cert:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, ST=ST, L=TownB, O=MyOrg, OU=Engineering Dept., CN=MyOrg CA/emailAddress=me at domain.dom
        Validity
            Not Before: Jan 25 20:18:53 2018 GMT
            Not After : Dec 22 20:18:53 4755 GMT
        Subject: C=US, ST=ST, O=MyOrg, OU=Engineering Dept., CN=Roadwarrior User
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    <snip>
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                AC:29:A4:81:79:B7:1D:4C:BE:0F:DB:9F:8B:CC:AE:26:13:D3:82:73
            X509v3 Extended Key Usage:
                TLS Web Client Authentication
            X509v3 Authority Key Identifier:
                keyid:53:89:48:5A:AD:A2:81:01:DC:C9:0B:F6:15:25:78:9C:96:AA:5E:73
                DirName:/C=US/ST=ST/L=TownB/O=MyOrg/OU=Engineering Dept./CN=MyOrg CA/emailAddress=me at domain.dom
                serial:CA:95:8A:1F:26:B5:A1:D7
            X509v3 Subject Alternative Name:
                email:me at domain.dom
    Signature Algorithm: sha256WithRSAEncryption
         <snip>
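The "[CFG] looking for peer configs matching ... no matching peer config found" pair in the log above is where charon gives up, and the identities in brackets are what it was trying to match: the IDr the Mac sent (an FQDN, marked with "@") and the IDi it sent (the e-mail address from its certificate's SAN). The following Python is an added illustration, not strongSwan code and not the poster's, of a simplified model of how ipsec.conf identities are resolved and compared: an id that is unset, or that the configured certificate does not confirm, falls back to that certificate's subject DN (the rule the "id '%any' not confirmed by certificate, defaulting to ..." message describes), and a conn matches only if the effective leftid equals the received IDr and the effective rightid equals the received IDi (with %any matching anything). The certificate subjects and SANs are copied from the two dumps in the post; the log line is constructed from the one above with the archive's "me at domain.dom" written back as me@domain.dom. The scenario names, the `Cert` class and all function names are this example's own, and the real charon lookup also weighs addresses, authentication method and other attributes that this model ignores.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed from the [CFG] line in the post; the archive's "me at domain.dom"
# is written back as an e-mail identity.
SAMPLE_LINE = ("Jan 25 14:48:06 myhost charon: 11[CFG] looking for peer configs "
               "matching y.y.y.y[@myhost.domain.dom]...x.x.x.x[me@domain.dom]")

LOOKUP_RE = re.compile(
    r"looking for peer configs matching "
    r"(?P<me_addr>[^\[]+)\[(?P<me_id>[^\]]*)\]\.\.\."
    r"(?P<other_addr>[^\[]+)\[(?P<other_id>[^\]]*)\]")


def parse_lookup(line: str) -> Dict[str, str]:
    """Pull local/remote address and identity out of charon's lookup message."""
    m = LOOKUP_RE.search(line)
    if not m:
        raise ValueError("not a peer-config lookup line")
    return m.groupdict()


def classify(ident: str) -> str:
    """Identity type as an ipsec.conf string would be parsed (simplified model)."""
    if ident == "%any":
        return "any"
    if ident.startswith("@"):
        return "fqdn"
    if "=" in ident and "," in ident:
        return "dn"
    if "@" in ident:
        return "email"
    if re.fullmatch(r"\d+\.\d+\.\d+\.\d+", ident):
        return "ipv4"
    return "fqdn"          # bare hostname: FQDN identity without the '@' marker


def normalize(ident: str) -> Tuple[str, str]:
    """(type, value) pair so '@host' and 'host' compare equal."""
    kind = classify(ident)
    return kind, (ident.lstrip("@") if kind == "fqdn" else ident)


@dataclass
class Cert:
    subject_dn: str
    sans: List[str] = field(default_factory=list)   # openssl-style SAN entries

    def confirms(self, ident: str) -> bool:
        """An id is 'confirmed' if it is the subject DN or appears in the SAN."""
        kind, value = normalize(ident)
        if kind == "dn":
            return value == self.subject_dn
        prefix = {"fqdn": "DNS:", "email": "email:", "ipv4": "IP Address:"}.get(kind)
        return prefix is not None and (prefix + value) in self.sans


def effective_id(configured: Optional[str], cert: Optional[Cert]) -> str:
    """Hypothetical model of the logged rule: an unset id, or one the certificate
    does not confirm, falls back to the certificate subject DN; with no
    certificate at all it stays %any."""
    if configured and configured != "%any" and (cert is None or cert.confirms(configured)):
        return configured
    return cert.subject_dn if cert is not None else "%any"


def id_matches(configured: str, received: str) -> bool:
    return configured == "%any" or normalize(configured) == normalize(received)


def conn_matches(lookup: Dict[str, str], leftid: Optional[str], leftcert: Optional[Cert],
                 rightid: Optional[str], rightcert: Optional[Cert]) -> bool:
    """Does this conn's effective leftid/rightid match the received IDr/IDi?"""
    return (id_matches(effective_id(leftid, leftcert), lookup["me_id"])
            and id_matches(effective_id(rightid, rightcert), lookup["other_id"]))


# Subjects and SANs copied from the two certificate dumps in the post.
HOSTCERT = Cert("C=US, ST=ST, O=MyOrg, OU=Engineering Dept., CN=myhost.domain.dom",
                ["DNS:myhost.domain.dom", "DNS:y.y.y.y", "IP Address:y.y.y.y"])
RW2CERT = Cert("C=US, ST=ST, O=MyOrg, OU=Engineering Dept., CN=Roadwarrior User",
               ["email:me@domain.dom"])


def scenarios() -> Dict[str, bool]:
    """The posted conn versus three variants (scenario names are constructed)."""
    lk = parse_lookup(SAMPLE_LINE)
    return {
        "as posted (ids default to subject DNs)":
            conn_matches(lk, None, HOSTCERT, None, RW2CERT),
        "rightid=%any but rightcert still set":
            conn_matches(lk, "myhost.domain.dom", HOSTCERT, "%any", RW2CERT),
        "leftid=myhost.domain.dom, rightid=me@domain.dom":
            conn_matches(lk, "myhost.domain.dom", HOSTCERT, "me@domain.dom", RW2CERT),
        "leftid=myhost.domain.dom, rightid=%any, no rightcert":
            conn_matches(lk, "myhost.domain.dom", HOSTCERT, "%any", None),
    }


if __name__ == "__main__":
    for name, ok in scenarios().items():
        print(f"{'match   ' if ok else 'no match'}  {name}")
```

Under this model the posted conn fails on both sides: the server's default leftid is its subject DN while the Mac sends an FQDN IDr, and the client's default rightid is the subject DN of RW2cert.pem while the Mac sends its e-mail SAN as IDi. The second scenario reproduces the "defaulting to" message the poster saw with rightid=%any: as long as rightcert is set, the wildcard is replaced by that certificate's subject. The last two scenarios match because both effective ids are confirmed by a SAN entry of the respective certificate (DNS for the host, email for the client) or left as a true wildcard.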